ERM Outputs Do Not Equal Reports

There’s a common misconception that ERM outputs mean reports…

It’s easy to understand why – reports are something that people are comfortable with. They are tangible and usually don’t rock the boat since they simply lay out already known information in a glossy presentation.

It’s no wonder then that over 40% of executive respondents in NC State’s annual State of Risk Oversight survey claim they are “not at all” or “minimally” satisfied with the quality of reports they receive. Even risk professionals who responded to my 2018 ERM challenges survey explain their frustration with just reporting what everyone already knows.

Although I have published an in-depth piece on risk reporting, the reality is that reports are just a subset of overall ERM outputs. To put it a little differently, an output is not just about writing a “report,” but about the decisions that need to be made and the actions that need to be taken before a report is even drafted.

ERM professionals need to think bigger picture and about how to work with executives to affect decision-making.

In the beginning of my ERM career, I read that at its core, the job of an ERM professional is to ask questions and challenge assumptions.

Many risk professionals simply stick with reports because they are easier to deal with. Being involved with making actual decisions and determining the actions needed to achieve those goals is, by default, uncomfortable and confrontational.

During the decision-making process, the ERM professional’s job is to provide a unique, unbiased perspective and to ensure that executives are considering both internal dependencies and external factors for the options before them. ERM is there to provide a dose of reality and even a slight dose of paranoia. In a recent presentation, risk manager turned CEO Julian Talbot explains that “healthy paranoia” on the part of executives is a good thing.

Too often, executives can be overly optimistic, even giddy, about a certain goal they have.

In order to be a valuable part of the organization, ERM has to provide a reality check. You don’t have to be a rocket scientist (…or even a veteran risk professional) to know that real-life scenarios are not all puppy dogs and rainbows.

The end goals of these conversations, and ERM’s participation, are twofold:

1. Ensure executives are taking the right amount of risk to achieve their desired result.

2. Ensure executives understand both the threats and opportunities to achieving their goal and acknowledge the risk being taken.

Just because executives have arrived at a decision doesn’t mean ERM’s job is finished.

Once a decision is made, a course of action to achieve that goal has to be planned out.

The fact is, though, that all actions have risk around them, so in addition to ensuring executives make informed decisions, ERM has to help determine the pros and cons around each possible course of action for achieving that goal.

For a particular course of action, questions to ask include:

  • What specific resources (time, people, financial) will we need?
  • Will these resources be available when we need them?
  • Is there anything from outside the company that could get in the way?
  • Can we address it?

(By the way, did you notice that in each of these questions, you never see the word “risk”? That is intentional: along the lines of the conversation in last week’s post, risk management is really simply good business management…)

Once risks around actions are understood and addressed, it’s time for everyone from executives on down the line to go forth and conquer.

At this point, ERM can then create “reports” based on stakeholder needs, if reports are even needed.

Now that goals are set, actions for achieving those goals have been determined, and risks around these have been identified, it is time to report the results out to different stakeholders.

What these reports contain will be driven by a host of factors, the foremost being the audience, or stakeholders. Examples of stakeholders include the Board, regulators, executives, employees, key investors, vendors, and more.

Once you have identified the stakeholder or audience your report is intended for, there are several other organization-specific questions to consider, the first of which is – what specifically are they interested in? Is it…

  • The final decision?
  • Specific information within that decision (i.e. did you look at specific scenarios?)
  • What drove the final decision?
  • Who was involved in the decision? Was it cross-functional or were certain individuals included because of potential impact?

Norman Marks explains it well in his book World-Class Risk Management when he says – “Rather than focusing on the form of a report, I believe we should focus on what information the users of that report need.”

Understanding the information the report’s users or audience needs is by far the most important issue to address. But in order to provide them with a superb report, you then need to know their preferred communication style. Will your report need to include data and supporting evidence or just strictly the outcome?

Remember, you are not reporting “top risks,” but instead reporting on what the organization wants to achieve, how it will achieve it, and any supporting information.

Once you understand the audience’s needs and their preferred communication style, you’re ready to determine the best way to succinctly and clearly communicate that with the audience.

It may seem like a lot of preparation, but taking these steps simplifies the process and helps you produce a report or output that will be valuable to the intended audience. Albert Einstein says it best:

“If I had an hour to solve a problem, I’d spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.”

Only by taking the time to think about the problem in-depth (the reason we think about root cause analysis and scenario analysis) will the solution be the best fit for the problem.

Although I can’t provide specifics, there are some general guidelines on what some audiences will be looking for. Two common audiences besides executives are regulators and the Board.

1.   Regulators

Relevant regulatory agencies, be they local, state, federal, or any others depending on your industry and location, will be looking for assurance you are running the company well overall. They’re interested in solvency, compliance with laws, and whether you are as consumer-friendly as possible.

A list of risks with scores and mitigation information will not satisfy their needs.

Instead, they want to know what your organization is doing to address any risks around specific concerns like solvency/financial viability.

2.   The Board

A company’s Board of Directors should be acting as a watchdog of management and challenging their assumptions to ensure any blind spots are not missed. They will want to know how management is running the company and how they plan on reaching goals in a legal and ethical way.

The Board will likely want to know the considerations around a decision and any resources (people, time, money) it will take to carry out that decision. Other parameters they may be interested in include a timeline and any dependencies.

One thing to notice between these two audiences is what one mentions and the other does not.

You should notice that the section regarding the Board doesn’t mention the word risk (again), just decisions and how the company plans to reach those goals. That’s because well-managed organizations integrate risk into decision-making at every level – it’s not treated as a separate issue, but rather an integral part of managing a company.

You likely learned that simply reporting a list of risks will not provide the value executives, the Board, and others need from ERM. While it may be difficult and take you out of your comfort zone, providing healthy skepticism and an unbiased perspective about threats and opportunities is what executives truly need…

In your role, are you an active participant in the decision-making process, or do you simply report on top risks and mitigation activities?

I invite you to share your thoughts and experiences regarding ERM “outputs” and how you provide a unique perspective to decision-makers in your organization. Leave a comment below or join the conversation on LinkedIn.

And if you are struggling to move ERM beyond a reporting function in your organization, please contact me to discuss your specific situation today.

Featured image courtesy of Romain V via


Meet Carol Williams, SDS Founder & Lead Strategist

To our readers:

This blog was launched to provide strategy and risk practitioners with a go-to resource to better guide their efforts within their companies. Thank you for bringing me and my team along to be part of your journey towards better risk management, strategic planning and execution, and overall decision-making. Happy reading!
